vm

virtual machine directory

The directory vm exists as a sub-directory to the file system root.
The vm directory is hidden by default. It will appear if supported virtual machines are detected. VM detection must be enabled by command-line argument.
The MemProcFS virtual machine (VM) detection and parsing is largely based on the work of @gerhart_x and his most awesome research presented on his blog Hyper-V Internals. MemProcFS expands on this work by also supporting analysis of memory dump files. For live introspection of Hyper-V virtual machines, LiveCloudKd and its MemProcFS plugin are recommended, since they also support writing to guest memory and additional types of virtual machines.
MemProcFS also supports access to live VMware virtual machines. MemProcFS is currently not able to parse VMware virtual machines from memory dump files.
MemProcFS supports parsing of Hyper-V machines natively. VM parsing is only supported on 64-bit MemProcFS builds.
Virtual machines may be parsed from live memory (acquired with PCILeech DMA or memory acquisition drivers such as WinPMEM) or from memory dump files from a host operating system with active VMs.
Parsing virtual machines will allow for separate memory forensics of the virtual machines.
The MemProcFS virtual machine parsing should currently be considered experimental. Please report any issues.
Virtual machine detection is not enabled by default. Virtual machine detection must be enabled with a command-line argument at startup.
| Command-line | Description |
|---|---|
| -vm | Detect and parse virtual machines and mount them under /vm. Windows virtual machines will be mounted as a full MemProcFS virtual file system. |
| -vm-basic | Detect and parse virtual machines and mount them under /vm. Only the virtual machine physical memory will be exposed. |
| -vm-nested | Detect and parse virtual machines and mount them under /vm. Windows virtual machines will be mounted as a full MemProcFS virtual file system. Also detect additional virtual machines inside the virtual machines. |
| -forensic [1-4] | Forensic mode will automatically enable virtual machine detection similar to the -vm option. It is possible to combine forensic mode with either of the above options. |
Files in the vm/[subvm] directories are read/write from the root MemProcFS instance, as shown in the example below.
The example shows browsing the sys folder and the computer name of the VM named T-WIN10-X64-1909-18363, as well as a listing of the info file /vm/vm.txt.
[[resources/root_vm.png]]
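The following shell script is an added example and is not part of the MemProcFS project or this wiki page. It composes a MemProcFS command line for the VM options listed above (rejecting an unknown VM mode or a forensic level outside 1-4), and then walks a mounted file system to list every sub-VM under /vm together with its guest computer name. The binary name `memprocfs`, the `-device` and `-mount` options, and the path `sys/computername.txt` inside each sub-VM are assumptions not taken from this page; the `-vm`, `-vm-basic`, `-vm-nested` and `-forensic` flags and the vm/[subvm] layout are the ones the page describes.

```shell
#!/bin/sh
# Added example, not MemProcFS project code.
# Assumptions: the binary is started as "memprocfs -device <src> -mount <dir>",
# and each Windows sub-VM exposes its name in <mount>/vm/<subvm>/sys/computername.txt.

# memprocfs_args DEVICE MOUNT MODE [FORENSIC]
#   DEVICE   memory dump file or acquisition device (e.g. a PCILeech/WinPMEM source)
#   MOUNT    mount point for the root MemProcFS instance
#   MODE     vm | vm-basic | vm-nested | none   (VM detection option from the page)
#   FORENSIC 0 (off, default) or 1-4 (forensic mode also enables VM detection)
# Prints the argument string on success; returns 1 on an invalid mode or level.
memprocfs_args() {
    device=$1; mount=$2; mode=$3; forensic=${4:-0}
    case "$mode" in
        vm|vm-basic|vm-nested) vmflag="-$mode" ;;
        none) vmflag="" ;;
        *) echo "unknown vm mode: $mode (use vm, vm-basic, vm-nested or none)" >&2; return 1 ;;
    esac
    case "$forensic" in
        0) fflag="" ;;
        1|2|3|4) fflag="-forensic $forensic" ;;
        *) echo "forensic level must be 1-4 (or 0 for off): $forensic" >&2; return 1 ;;
    esac
    # With mode=none and forensic=0 the /vm directory stays hidden, as the page states.
    if [ -z "$vmflag" ] && [ -z "$fflag" ]; then
        echo "note: no VM detection requested; /vm will not appear" >&2
    fi
    printf '%s' "-device $device -mount $mount${vmflag:+ $vmflag}${fflag:+ $fflag}"
}

# list_vms MOUNT
# Enumerates <MOUNT>/vm/<subvm>/ directories (the info file vm.txt is skipped because
# the glob only matches directories) and prints "<subvm><TAB><computer name or ?>".
# Returns 1 if <MOUNT>/vm does not exist, i.e. VM detection was not enabled or found nothing.
list_vms() {
    vmdir="$1/vm"
    [ -d "$vmdir" ] || { echo "no $vmdir: VM detection not enabled or no VMs found" >&2; return 1; }
    for d in "$vmdir"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        cn="?"
        # Assumed location of the guest computer name; strip CR/LF and NUL padding.
        if [ -r "$d/sys/computername.txt" ]; then
            cn=$(tr -d '\r\n\0' < "$d/sys/computername.txt")
        fi
        printf '%s\t%s\n' "$name" "$cn"
    done
}

# Typical use (not executed here): start MemProcFS with VM detection, then list guests.
#   memprocfs $(memprocfs_args host-dump.raw /mnt/mem vm 1) &
#   sleep 5 && list_vms /mnt/mem
```

`list_vms` reads only from the already-mounted file system, so it can be pointed at any existing mount point; the launch line is left as a comment because starting MemProcFS requires a real memory source.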
The vm sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_vm.c in the vmm project. Substantial VM functionality is part of the MemProcFS core.